Connector [accessrequests.alauda.io/v1alpha1]
connectors.alauda.io group
AccessRequest represents a subject's access application for a specific Connector, scoped to the lifecycle of a context object (Pod). It tracks matched AccessPolicies, approval check states, and authorization status via conditions.
v1alpha1 version
spec object
AccessRequestSpec defines the desired state of AccessRequest.
connectorRef object required
ConnectorRef references the target Connector in the same namespace. Only Name is required; Namespace is always the same as the AccessRequest.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
context object required
Context provides lifecycle context for this request. Currently only Kind=Pod is supported.
objectRef object required
ObjectRef points to the lifecycle object (e.g., a Pod). Currently only Kind=Pod is supported.
apiVersion string
API version of the referent.
fieldPath string
If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
kind string
Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
namespace string
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
resourceVersion string
Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
uid string
UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
subject object required
Subject is the identity requesting access (typically a ServiceAccount).
apiGroup string
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
kind string required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognize the kind value, the Authorizer should report an error.
name string required
Name of the object being referenced.
namespace string
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty, the Authorizer should report an error.
status object
AccessRequestStatus records the observed state of AccessRequest.
annotations object
Annotations holds additional Status fields for the Resource, used to save additional state and to convey more information to the user. This is roughly akin to Annotations on any k8s resource, except that here it is the reconciler conveying richer information outwards.
conditions []object
Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
lastTransitionTime string
LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
message string
A human readable message indicating details about the transition.
reason string
The reason for the condition's last transition.
severity string
Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
status string required
Status of the condition, one of True, False, Unknown.
type string required
Type of condition.
observedGeneration integer
ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
policies []object
AccessPolicyMatchedStatus records a matched AccessPolicy and its check results.
matchedChecks []object
MatchedCheck records one matched Check Duck Type resource instance.
condition object required
Condition records the computed approval condition of this check.
lastTransitionTime string
LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
message string
A human readable message indicating details about the transition.
reason string
The reason for the condition's last transition.
severity string
Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
status string required
Status of the condition, one of True, False, Unknown.
type string required
Type of condition.
name string required
Name matches CheckRule.name in the AccessPolicy.
ref object required
Ref identifies the matched Check Duck Type resource instance.
apiVersion string
API version of the referent.
fieldPath string
If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
kind string
Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
namespace string
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
resourceVersion string
Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
uid string
UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
name string required
Name is the AccessPolicy name, used as the list map key.
permissionSync object
PermissionSync records policy-level permission synchronization condition.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status string required
status of the condition, one of True, False, Unknown.
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
policySpec object required
PolicySpec is the full AccessPolicy spec snapshot at match time.
checkGrantedPermission object
CheckGrantedPermission defines permissions granted only after approval checks pass.
spec object required
Spec contains the check rules and the permissions to grant after all checks pass.
checks []object required
CheckRule defines a check rule that must pass for a permission to be granted. It contains either a reference to a CheckRuleSpec stored in a ConfigMap or the CheckRuleSpec itself. You can specify either Ref or Spec, but not both.
name string required
Name is the identifier of this check rule, referenced in AccessRequest status.
ref object
Ref is a reference to a CheckRuleSpec stored in a ConfigMap.
configMap object required
ConfigMap references the ConfigMap containing the CheckRuleSpec.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
spec object
Spec contains the check rule specification.
selector object required
Selector specifies how to find the Check Duck Type resource.
matchExpressions []object
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
objectRef object required
ObjectRef specifies the reference to the object to check against. Kind and apiVersion are required to distinguish different duck types.
apiVersion string
API version of the referent.
fieldPath string
If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.
kind string
Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
name string
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
namespace string
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
resourceVersion string
Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
uid string
UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
state object
State configures how the check result is computed. If empty, the default duck-type field status.state is used.
rego string
Rego is an OPA Rego script (package "approval") that receives the full check resource as input and must output status = {"state": "approved|rejected|pending|passed"}. If empty, the default duck-type field status.state is used.
roleTemplate object required
RoleTemplate defines the rules for the generated Role.
ref object
Ref specifies a reference to a RoleTemplate.
configMap object
ConfigMap specifies a local reference to a ConfigMap whose data["rules"] contains the YAML-encoded list of rbacv1.PolicyRule entries. Only ConfigMaps in the connectors system namespace are supported.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
connector object
Connector specifies which Connectors this policy applies to. If empty, the policy applies to all Connectors in the namespace.
matchExpressions []object
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
names []string
Names is an explicit list of resource names to match.
defaultPermission object
DefaultPermission defines the Role and RoleBinding automatically granted without any approval check.
bindingTemplate object required
BindingTemplate defines the subjects for the generated RoleBinding.
serviceAccounts []object
ServiceAccountTemplate defines a template for binding ServiceAccounts. It extends rbacv1.Subject with dynamic label-based selectors.
names []string
Names is the list of service account names to bind.
namespaceSelector object
NamespaceSelector selects Namespaces by label and/or name.
matchExpressions []object
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
names []string
Names is an explicit list of resource names to match.
roleTemplate object required
RoleTemplate defines the rules to include in the generated Role.
ref object
Ref specifies a reference to a RoleTemplate.
configMap object
ConfigMap specifies a local reference to a ConfigMap whose data["rules"] contains the YAML-encoded list of rbacv1.PolicyRule entries. Only ConfigMaps in the connectors system namespace are supported.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
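An AccessPolicy manifest exercising the policySpec fields above, with a baseline permission granted unconditionally and a second permission gated on a Check duck-type resource evaluated by a Rego script (added example, not code from the page or the project). The apiVersion, the ChangeTicket duck type and its status.phase field, the ConfigMap names and all other names are assumptions; the Rego block shows only the package "approval" / status = {"state": ...} contract that the rego field requires.

```yaml
apiVersion: connectors.alauda.io/v1alpha1   # assumed API group/version
kind: AccessPolicy
metadata:
  name: github-approved-push       # constructed names throughout
  namespace: team-a
spec:
  connector:
    names: [github-prod]           # an empty selector would match every Connector in the namespace
  defaultPermission:               # Role/RoleBinding granted with no approval check
    bindingTemplate:
      serviceAccounts:
        - names: [builder]
          namespaceSelector:
            matchLabels: {team: a}
    roleTemplate:
      ref:
        configMap:                 # must live in the connectors system namespace
          name: github-read-rules  # data["rules"]: YAML list of rbacv1.PolicyRule
  checkGrantedPermission:          # granted only after every check passes
    spec:
      checks:
        - name: change-approved    # echoed in status.policies[].matchedChecks[].name
          spec:
            selector:
              matchLabels: {request: build-pod-github}
            objectRef:
              apiVersion: example.io/v1   # assumed Check duck type
              kind: ChangeTicket
            state:
              rego: |
                package approval
                import rego.v1
                # map the duck type's own phase (assumed field) onto the required states
                status := {"state": "approved"} if input.status.phase == "Approved"
                status := {"state": "rejected"} if input.status.phase == "Denied"
                status := {"state": "pending"} if not input.status.phase in {"Approved", "Denied"}
      roleTemplate:
        ref:
          configMap:
            name: github-push-rules
```

Omitting state entirely makes the controller read status.state from the matched ChangeTicket instead, so the Rego script is only needed when the duck type does not already publish one of the four expected values.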